Non-Transferable Learning: A New Approach for Model Ownership Verification and Applicability Authorization

TL;DR

NTL addresses IP protection in AIaaS by learning domain-specific representations that intentionally limit cross-domain transfer. It introduces Target-Specified and Source-Only NTL, leveraging an information-theoretic objective and GAN-based augmentation to expand representation distance across domains, achieving robust ownership verification and data-centric applicability authorization. The approach demonstrates strong target-domain degradation with minimal source loss and effective domain restriction with patch-based authorization across several datasets, highlighting its potential for protecting proprietary models and controlling data usage. The work also provides theoretical support via information bottleneck-inspired analysis and MMD-based domain separation.

Abstract

As Artificial Intelligence as a Service gains popularity, protecting well-trained models as intellectual property is becoming increasingly important. There are two common types of protection methods: ownership verification and usage authorization. In this paper, we propose Non-Transferable Learning (NTL), a novel approach that captures the exclusive data representation in the learned model and restricts the model generalization ability to certain domains. This approach provides effective solutions to both model verification and authorization. Specifically: 1) For ownership verification, watermarking techniques are commonly used but are often vulnerable to sophisticated watermark removal methods. By comparison, our NTL-based ownership verification provides robust resistance to state-of-the-art watermark removal methods, as shown in extensive experiments with 6 removal approaches over the digits, CIFAR10 & STL10, and VisDA datasets. 2) For usage authorization, prior solutions focus on authorizing specific users to access the model, but authorized users can still apply the model to any data without restriction. Our NTL-based authorization approach instead provides data-centric protection, which we call applicability authorization, by significantly degrading the performance of the model on unauthorized data. Its effectiveness is also shown through experiments on the aforementioned datasets.

Figures (13)

• Figure 1: A visualization of the generalization bound trained with different approaches. The left figure shows Supervised Learning in the source domain, which can derive a wide generalization area. When Target-Specified NTL is applied (middle), the target domain is removed from the generalization area. As for Source-Only NTL (right), the generalization area is significantly reduced.
• Figure 2: The data of STL10 attached without/with the patch.
• Figure 3: Performance of CIFAR10, STL10, VisDA as source or target domain for Supervised Learning, Target-Specified NTL and Source-Only NTL.
• Figure 4: The augmentation data of MNIST generated by the generative adversarial augmentation framework.
• Figure 5: PDF-s of distribution $\mathcal{P}_{Z|0}$ and $\mathcal{P}_{Z|1}$. The blue curve is the PDF of $\mathcal{P}_{Z|0}$, and the green one is the PDF of $\mathcal{P}_{Z|1}$. The orange curve is the PDF of $\mathcal{P}_{Z|0}$ with a smaller variance (best view in color).